How to: Allow PPTP traffic through a JUNOS-ES device with No NAT

Article ID: KB10459   Last Updated: 05 Mar 2017   Version: 4.0
Summary:
How to allow PPTP traffic through a JUNOS Enhanced Services (JUNOS-ES) device with no NAT
Symptoms:
Problem Scenario:
  • JUNOS-ES device has subnet 10.10.10.0/24 on zone "trust".
      For this example, ge-0/0/0.0 is configured with IP 10.10.10.1/24.
  • JUNOS-ES device has subnet 192.168.1.0/24 on zone "dmz".
      For this example, ge-0/0/3.0 is configured with IP 192.168.1.1/24.
  • PPTP server is on zone "dmz" with IP address 192.168.1.100/24.
  • PPTP clients need to reach the PPTP server from zone "trust".
  • NAT is not configured between the two zones.
Solution:
Note: This article applies to JUNOS-ES version 8.5 or higher.


Configuration Example for PPTP pass-through without NAT:
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
security {
    zones {
        security-zone trust {
            address-book {
                address local-net 10.10.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone dmz {
            address-book {
                /* host entry for the PPTP server only, not the whole DMZ subnet */
                address pptp-server 192.168.1.100/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
    }
    policies {
        from-zone trust to-zone dmz {
            policy pptp-thru {
                match {
                    source-address local-net;
                    destination-address pptp-server;
                    application junos-pptp;
                }
                then {
                    permit;
                }
            }
        }
    }
}


Note that application junos-pptp is a pre-defined JUNOS-ES application. It matches the PPTP control connection on TCP port 1723 and invokes the PPTP ALG, which inspects that control channel and dynamically permits the associated GRE (IP protocol 47) tunnel traffic, so no separate policy for GRE is required. Keeping the policy scoped to the client subnet, the PPTP server host and the junos-pptp application limits the trust-to-dmz exposure to exactly what the PPTP session needs.

The host-inbound-traffic system-services all statements on both zones allow every system service (management services included) to reach the device itself from those zones. They keep the example short, but in production they should be narrowed to the services the device actually has to accept on each interface.

Displaying as set commands:
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/3 unit 0 family inet address 192.168.1.1/24

set security zones security-zone trust address-book address local-net 10.10.10.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone dmz address-book address pptp-server 192.168.1.100/32
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz interfaces ge-0/0/3.0

set security policies from-zone trust to-zone dmz policy pptp-thru match source-address local-net
set security policies from-zone trust to-zone dmz policy pptp-thru match destination-address pptp-server
set security policies from-zone trust to-zone dmz policy pptp-thru match application junos-pptp
set security policies from-zone trust to-zone dmz policy pptp-thru then permit
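As an added example that is not part of the original article or Juniper's own tooling, the following Python script parses set-style configuration lines like the ones above and audits the trust-to-dmz policy for the scoping this article relies on: application junos-pptp rather than any, a source limited to the client subnet, and a destination address-book entry that covers only the PPTP server host. The two embedded configurations are constructed for the example (one copied from the set commands above, one deliberately over-broad); the function names, the regular expressions and the finding messages are assumptions of this example, not Junos features.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed copy of the article's set commands (interfaces and
# host-inbound-traffic lines omitted; the audit ignores them anyway).
TIGHT_CONFIG = """
set security zones security-zone trust address-book address local-net 10.10.10.0/24
set security zones security-zone dmz address-book address pptp-server 192.168.1.100/32
set security policies from-zone trust to-zone dmz policy pptp-thru match source-address local-net
set security policies from-zone trust to-zone dmz policy pptp-thru match destination-address pptp-server
set security policies from-zone trust to-zone dmz policy pptp-thru match application junos-pptp
set security policies from-zone trust to-zone dmz policy pptp-thru then permit
"""

# Constructed over-broad variant: any source, whole DMZ subnet, any application.
LOOSE_CONFIG = """
set security zones security-zone trust address-book address local-net 10.10.10.0/24
set security zones security-zone dmz address-book address dmz-net 192.168.1.0/24
set security policies from-zone trust to-zone dmz policy pptp-thru match source-address any
set security policies from-zone trust to-zone dmz policy pptp-thru match destination-address dmz-net
set security policies from-zone trust to-zone dmz policy pptp-thru match application any
set security policies from-zone trust to-zone dmz policy pptp-thru then permit
"""

# Hypothetical line patterns for the three statement types the audit needs.
ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
MATCH_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) match (\S+) (\S+)$")
THEN_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then (\S+)$")


def parse_set_config(text):
    """Return (address_books, policies) extracted from set-style lines.

    address_books: zone -> entry name -> ip_network
    policies: (from_zone, to_zone, policy_name) -> {"match": {...}, "then": action}
    """
    books = defaultdict(dict)
    policies = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ADDR_RE.match(line)
        if m:
            zone, name, prefix = m.groups()
            books[zone][name] = ipaddress.ip_network(prefix, strict=False)
            continue
        m = MATCH_RE.match(line)
        if m:
            fz, tz, pol, key, val = m.groups()
            policies.setdefault((fz, tz, pol), {"match": {}, "then": None})["match"][key] = val
            continue
        m = THEN_RE.match(line)
        if m:
            fz, tz, pol, action = m.groups()
            policies.setdefault((fz, tz, pol), {"match": {}, "then": None})["then"] = action
    return books, policies


def audit_pptp_policy(text, server_ip, from_zone="trust", to_zone="dmz"):
    """Return a list of findings; an empty list means every permit policy
    from from_zone to to_zone is scoped to junos-pptp, a named source and
    the single PPTP server host."""
    books, policies = parse_set_config(text)
    server = ipaddress.ip_address(server_ip)
    findings = []
    permits = [(k, p) for k, p in policies.items()
               if k[0] == from_zone and k[1] == to_zone and p["then"] == "permit"]
    if not permits:
        return [f"no permit policy from {from_zone} to {to_zone}"]
    for (_fz, tz, name), pol in permits:
        match = pol["match"]
        app = match.get("application")
        if app != "junos-pptp":
            findings.append(f"{name}: application is {app!r}, expected 'junos-pptp' (ALG opens GRE)")
        src = match.get("source-address")
        if src in (None, "any"):
            findings.append(f"{name}: source-address any; restrict to the client subnet")
        dst = match.get("destination-address")
        if dst in (None, "any"):
            findings.append(f"{name}: destination-address any; restrict to the PPTP server")
            continue
        net = books[tz].get(dst)
        if net is None:
            findings.append(f"{name}: destination {dst!r} not defined in zone {tz} address book")
        elif server not in net:
            findings.append(f"{name}: destination {dst} ({net}) does not contain {server}")
        elif net.num_addresses != 1:
            findings.append(f"{name}: destination {dst} ({net}) wider than the single PPTP server host")
    return findings


if __name__ == "__main__":
    for label, cfg in (("tight", TIGHT_CONFIG), ("loose", LOOSE_CONFIG)):
        print(label, audit_pptp_policy(cfg, "192.168.1.100") or ["ok"])
```

Run against the article's configuration the audit reports nothing; against the loose variant it flags the any application, the any source and the /24 destination. The check only looks at set-style lines, so a hierarchical configuration has to be displayed in set form first.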